Abstract |
---|
Certificate Authorities (CAs) regularly make mechanical errors when issuing certificates. To quantify these errors, we introduce ZLint, a certificate linter that codifies the policies set forth by the CA/Browser Forum Baseline Requirements and RFC 5280 that can be tested in isolation. We run ZLint on browser-trusted certificates in Censys and systematically analyze how well CAs construct certificates. We find that the number of errors has drastically reduced since 2012. In 2017, only 0.02% of certificates have errors. However, this is largely due to a handful of large authorities that consistently issue correct certificates. There remains a long tail of small authorities that regularly issue non-conformant certificates. We further find that issuing certificates with errors is correlated with other types of mismanagement and, for large authorities, browser action. Drawing on our analysis, we conclude with a discussion on how the community can best use lint data to identify authorities with worrisome organizational practices and ensure the long-term health of the Web PKI. |
Year | DOI | Venue |
---|---|---|
2018 | 10.1109/SP.2018.00015 | 2018 IEEE Symposium on Security and Privacy (SP) |

Keywords | Field | DocType |
---|---|---|
TLS, HTTPS, PKI, Certificates, Compliance, Baseline Requirements, RFC 5280 | Public key infrastructure, Internet privacy, Computer science, Cryptography, Computer security, Certificate authority, Certificate | Conference |

ISSN | ISBN | Citations |
---|---|---|
1081-6011 | 978-1-5386-4354-9 | 4 |

PageRank | References | Authors |
---|---|---|
0.41 | 13 | 10 |
Name | Order | Citations | PageRank |
---|---|---|---|
Deepak Kumar | 1 | 4 | 0.41 |
Zhengping Wang | 2 | 4 | 1.08 |
Matthew Hyder | 3 | 4 | 0.41 |
Joseph Dickinson | 4 | 4 | 0.75 |
Gabrielle Beck | 5 | 4 | 1.08 |
David Adrian | 6 | 222 | 11.07 |
Joshua Mason | 7 | 108 | 9.79 |
Zakir Durumeric | 8 | 935 | 48.86 |
J. Alex Halderman | 9 | 2301 | 149.67 |
Michael Bailey | 10 | 1335 | 78.22 |